Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Solution Type: Technical Instruction Sure
Solution 1019675.1: KMS - Tips To Successfully Add A KMA To A Cluster
Previously Published As: 243526
Applies to: Sun StorageTek Crypto Key Management System - Version: Not Applicable
All Platforms
Checked for relevance on 10-Feb-2011.

Goal
Tips to successfully add a KMA to a Cluster.

Solution
Steps to Follow

When adding a new KMA to an existing KMS Cluster, the new KMA must first be defined in the KMS Cluster using the Create command on the KMA List screen while connected to an existing KMA in the Cluster. This defines the new KMA in the Cluster and allows the actual new KMA to join it.

Values that must be entered carefully when Quickstarting the new KMA that is to be added to (joined to) the existing KMS Cluster:

- Joining KMA's Name: must match the value defined in the existing KMS Cluster for the new KMA.
- IP address or hostname of an existing KMA in the KMS Cluster (the "target KMA"): must be correct so the new KMA can find the existing KMS Cluster.
- Joining KMA's passphrase: must match the value defined in the existing KMS Cluster for the new KMA.
- Quorum Credentials: must match the Quorum Credentials in the existing KMS Cluster.

Attributes of the new KMA that may need to be checked in the existing KMS Cluster:

- Failed Login Attempts: when a join of the new KMA fails because of an incorrect KMA passphrase, this value is incremented. If it is equal to or greater than the "Login Attempt Limit" value in the Security Parameters of the KMS Cluster, the new KMA is locked out and cannot join the KMS Cluster until the KMA's passphrase is reset in the KMS Cluster.

Join KMA to Existing Cluster: potential problems

1. Incorrect KMA Name for the joining KMA entered in Quickstart

   On a KMA already in the Cluster you should see an error audit similar to:

       Operation: Retrieve Root CA Certificate
       Severity: Error
       Condition: Entity is not valid
       Entity ID: Name of joining KMA (as entered in the joining KMA's Quickstart; in this case it will be incorrect)
       Message Values:

   Check the KMA Name defined in the KMS Cluster and enter it correctly when Quickstarting the new KMA again.

2. Incorrect IP address or hostname for the target KMA, or incorrect network configuration for the joining KMA, entered in Quickstart

   On a KMA already in the Cluster there will be no audits indicating that the joining KMA was able to contact the target KMA. Look for the following audit after the point in time when the join was performed:

       Operation: Retrieve Root CA Certificate
       Entity ID: Name of joining KMA (as entered in the joining KMA's Quickstart)

   This is the first audit created in the Cluster when the joining KMA attempts to join; if it does not exist (whether as "Success" or "Error"), the joining KMA was not able to find the Cluster. Check that the IP address or hostname of the target KMA is correct and enter it correctly when Quickstarting the new KMA again. Also check that the network configuration of the joining KMA is correct and enter it correctly when Quickstarting the new KMA again.

3. Incorrect passphrase for the joining KMA entered in Quickstart

   On a KMA already in the Cluster you should see an error audit similar to:

       Operation: Retrieve Entity Certificate
       Severity: Error
       Condition: Invalid Challenge response
       Entity ID: Name of joining KMA
       Message Values:

   Verify that the correct passphrase for the new KMA is being entered (if necessary, reset the passphrase for the new KMA in the Cluster) and enter it correctly when Quickstarting the new KMA again.

4. Joining KMA's passphrase entered incorrectly too many times in Quickstart

   On a KMA already in the Cluster you should see that the new KMA's Failed Login Attempts value is equal to or greater than the Login Attempt Limit in the Cluster's Security Parameters, and an error audit similar to:

       Operation: Retrieve Entity Certificate
       Severity: Error
       Condition: Failed login attempts limit exceeded
       Entity ID: Name of joining KMA
       Message Values:

   Reset the passphrase for the new KMA in the Cluster and enter it correctly when Quickstarting the new KMA again.

5. Incorrect or insufficient Quorum User Name(s) entered in Quickstart

   On a KMA already in the Cluster you should see an error audit similar to:

       Operation: Join Cluster
       Severity: Error
       Condition: Invalid input
       Entity ID: Name of joining KMA
       Message Values: KMA ID = x, KMA Name = Name of joining KMA, Management Network Address = x, Service Network Address = x, KMA Version = x, Rejoin = FALSE, Quorum Key Split User Name = x1, Quorum Key Split User Name = x2, ...

   Check the "Quorum Key Split User Name" values to make sure they match what is defined in the Cluster and that a sufficient number of them were provided, and enter them correctly when Quickstarting the new KMA again.

6. Incorrect Quorum User Passphrase(s) entered in Quickstart

   On a KMA already in the Cluster you should see an error audit similar to:

       Operation: Join Cluster
       Severity: Error
       Condition: Invalid Quorum passphrase
       Entity ID: Name of joining KMA
       Message Values: KMA ID = x, KMA Name = Name of joining KMA, Management Network Address = x, Service Network Address = x, KMA Version = x, Rejoin = FALSE, Quorum Key Split User Name = x1, Quorum Key Split User Name = x2, ...

   Verify that the correct Quorum passphrase(s) are being entered and enter them correctly when Quickstarting the new KMA again.

Keywords: KMS, KMA, Incorrect Quorum User Passphrase, Incorrect Quorum User Name, Joining KMA's passphrase entered incorrectly too many times in Quickstart, Incorrect IP address or hostname for target KMA, Incorrect KMA Name Cluster

Attachments
This solution has no attachment
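As an added example that is not part of the original article, the following Python ties the six join-failure cases and the lockout rule together as one triage function run over audit records. The records are constructed dicts keyed by the field names the article shows (Operation, Severity, Condition, Entity ID); the real KMS audit export format and the function name are assumptions.

```python
# Added example, not from the article: classify a failed KMA join from the
# audit records the article says appear on a KMA already in the cluster.
# Records are constructed dicts keyed by the field names the article shows
# (Operation, Severity, Condition, Entity ID); the real KMS audit export
# format is not given on the page, so this shape is an assumption.

# (Operation, Condition) of the error audit -> the article's diagnosis.
DIAGNOSES = {
    ("Retrieve Root CA Certificate", "Entity is not valid"):
        "case 1: KMA name in Quickstart does not match the name defined in the cluster",
    ("Retrieve Entity Certificate", "Invalid Challenge response"):
        "case 3: wrong passphrase entered for the joining KMA",
    ("Retrieve Entity Certificate", "Failed login attempts limit exceeded"):
        "case 4: passphrase wrong too many times; reset the KMA passphrase in the cluster",
    ("Join Cluster", "Invalid input"):
        "case 5: incorrect or insufficient Quorum Key Split User Names",
    ("Join Cluster", "Invalid Quorum passphrase"):
        "case 6: incorrect Quorum passphrase(s)",
}

def diagnose_join(audits, failed_login_attempts=0, login_attempt_limit=None):
    """Return the article's findings for audits logged after a join attempt;
    the two counters are the new KMA's Failed Login Attempts and the cluster's
    Login Attempt Limit, when known."""
    findings = []
    # Case 2: the first audit of any join is "Retrieve Root CA Certificate";
    # if none exists (Success or Error), the joining KMA never found the cluster.
    if not any(a.get("Operation") == "Retrieve Root CA Certificate" for a in audits):
        findings.append("case 2: no Retrieve Root CA Certificate audit; check the "
                        "target KMA address and the joining KMA's network settings")
    for a in audits:
        if a.get("Severity") != "Error":
            continue
        key = (a.get("Operation"), a.get("Condition"))
        if key in DIAGNOSES:
            # For case 1 the Entity ID is the wrong name exactly as typed.
            findings.append(f"{DIAGNOSES[key]} (Entity ID: {a.get('Entity ID')})")
    # Lockout: counter at or above the limit blocks the join until a reset.
    if login_attempt_limit is not None and failed_login_attempts >= login_attempt_limit:
        findings.append("locked out: Failed Login Attempts >= Login Attempt Limit; "
                        "reset the KMA passphrase in the cluster before retrying")
    return findings

# Constructed sample: the audit the article shows for a mistyped KMA name.
SAMPLE_WRONG_NAME = [{"Operation": "Retrieve Root CA Certificate", "Severity": "Error",
                      "Condition": "Entity is not valid", "Entity ID": "kma-02-typo"}]
```

Feed it only the audits created after the join was performed, as the article's step 2 requires; an empty list therefore reports case 2.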